System and method for providing defence to a cryptographic device against side-channel attacks targeting the extended euclidean algorithm during decryption operations

ABSTRACT

A system, method and computer-readable storage medium for decrypting a code c using a modified Extended Euclidean Algorithm (EEA) whose iteration loop is independent of the Hamming weight of the inputs to the EEA and which performs a fixed number of operations regardless of those inputs, thereby protecting a cryptographic device performing the decryption from side-channel attacks.

BACKGROUND OF THE INVENTION

The present invention relates generally to electronic cryptography technology, and in particular to protecting a security device against side-channel attacks directed against computations of the Extended Euclidean Algorithm during decryption operations.

Electronic communication and commerce can be powerful yet dangerous tools. With the wide-spread availability of network technology, such as the Internet, there is an ever increasing use of online tools for communication and commerce. Every year more users find it easier or quicker to conduct important transactions, whether in the form of correspondence or commerce, using computers and computer networks. However, there is always the risk that the security of electronic transactions is compromised through interception by third parties who do not have the right to partake in the transactions. When malicious third parties obtain access to otherwise private transactions and data there is risk of economic loss, privacy loss, and even loss of physical safety. Cryptography is one mechanism employed to avoid intrusion into the privacy of electronic transactions and data.

Cryptography is a technology for hiding a message in the presence of third parties using mathematical techniques in which a message is encrypted in such a way that it can only be decrypted using a secret key that should only be known by the recipient and/or sender of the message.

Cryptographic algorithms have inputs and outputs. In the case of encryption, the input is a message that is to be protected, in plaintext. The plaintext message is manipulated by the cryptographic algorithm to produce a ciphertext, the output. To produce the ciphertext the cryptographic algorithm performs certain mathematical operations that include the use of a secret key. The key may be a shared secret, e.g., between a sender and recipient, or may be a private key held by the recipient.

Traditionally, both the sender and the recipient of a cryptographic message were considered secure. Cryptography's primary use was to transmit an encoded message from the sender to the recipient without fear that an intermediary would be able to decode the message. If an attacker has no access to the sender's or recipient's cryptographic devices, the attacker is limited to using the encoded message itself, or possibly an encoded message and a corresponding plaintext message, to discern the cryptographic key used to encode or decode the message. However, if the attacker has access to the cryptographic device, the picture changes dramatically.

One mechanism of ensuring that a private key is indeed kept private is to store the private key and any related key material on a secure portable device, e.g., a smart card or a mobile device. A smart card is a small tamper-resistant computer, often in the form of a credit-card-sized and -shaped package. Smart cards may be used to store cryptographic keys and cryptography engines for performing encryption, decryption, and digital signatures.

In one example, a user may receive an encrypted message and use his smart card to decrypt the message by first authenticating to the smart card and then passing the message to the smart card for decryption. If authentication is successful, the smart card may use a cryptographic key stored on the card, and a corresponding cryptography engine, to decrypt the message and provide the decrypted message to the user. Similarly, if a user wishes to cryptographically sign a message, the user may pass the message to the user's smart card, which uses a cryptographic key of the user to digitally sign the message and to provide the signature back to the user or to a third-party recipient.

If an attacker has access to the smart card, the attacker may make repeated observations of the execution of the cryptographic algorithms that may be used to discern the secrets stored on the smart card, specifically the secret cryptographic keys stored on the smart card. One such attack is the so-called side-channel attack.

Side-channel attacks make use of the program timing, power consumption and/or the electromagnetic emanation of a device that performs a cryptographic computation. The behavior of the device (timing, power consumption and electromagnetic emanation) varies and depends directly on the program and on the data manipulated in the cryptographic algorithm. An attacker could take advantage of these variations to infer sensitive data, leading to the recovery of a private key.

Many currently popular asymmetric cryptosystems, e.g., RSA ([Rivest] Rivest, Shamir, and Adleman, A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, MIT Memo MIT/LCS/TM-82, 1977, https://people.csail.mit.edu/rivest/Rsapaper.pdf, accessed Mar. 10, 2016), derive their security from the difficulty of factoring integers or of computing discrete logarithms. However, such systems are somewhat inefficient because they require raising a number to a large power, and their underlying problems are vulnerable to attack on quantum computers. For example, integer factorization of products of large prime numbers, the foundation of many public-key cryptography systems, is considered computationally infeasible on ordinary digital computers, yet may be solved relatively efficiently on quantum computers.

Code-based cryptography, introduced by R. McEliece in 1978, is a potential candidate to replace the asymmetric primitives that are threatened by quantum computers ([McEliece] McEliece, Robert J. (1978). "A Public-Key Cryptosystem Based On Algebraic Coding Theory". DSN Progress Report 44: 114-116, http://ipnpr.jpl.nasa.gov/progress_report2/42-44/44N.PDF, accessed Mar. 16, 2016). The family of codes proposed by McEliece, namely the binary Goppa codes, has been considered secure for more than 30 years and allows very fast encryption. Relying on assumptions other than number-theoretic problems such as the discrete logarithm problem and integer factorization is a very positive characteristic of code-based primitives. Their major drawback lies in the size of the public keys.

Code-based cryptography relies on the hardness of decoding, that is, recovering a message m and an error e when given only the encoded message c = mG + e, for m ∈ F_(q)^(k), G ∈ F_(q)^(k×n) and e ∈ F_(q)^(n). The error weight is critical for security. Contrary to the public parameters of the code, which are fixed at set-up by an external entity, the error may vary at each encryption, and may even be chosen by any public user in some situations.

One drawback of code-based cryptography is vulnerability to side-channel attacks. The vulnerability arises in most implementations of McEliece cryptography because the operation flow of the decryption is strongly influenced by the error vector, while nothing is known about the error vector when decryption starts. From an attacker's point of view, this is a favorable situation: it means that the observed or manipulated device may leak information before any detection of the attack. These security aspects were addressed by various authors, who explained that a device implementing an unprotected decryption is prone to attacks on the messages (see e.g., [Shoufan] A. Shoufan, F. Strenzke, H. G. Molter, and M. Stottinger. A Timing Attack against Patterson Algorithm in the McEliece PKC. In D. Lee and S. Hong, editors, ICISC, volume 5984 of Lecture Notes in Computer Science, pages 161-175. Springer, 2009; [Avanzi] R. Avanzi, S. Hoerder, D. Page, and M. Tunstall. Side-channel attacks on the McEliece and Niederreiter public-key cryptosystems. J. Cryptographic Engineering, 1(4):271-281, 2011) and on the key (see e.g., [Strenzke 2010] F. Strenzke. A Timing Attack Against the Secret Permutation in the McEliece PKC. In Proceedings of the Third International Conference on Post-Quantum Cryptography, PQCrypto'10, pages 95-107, Berlin, Heidelberg, 2010. Springer-Verlag; [Strenzke 2013] F. Strenzke. Timing Attacks against the Syndrome Inversion in Code-Based Cryptosystems. In P. Gaborit, editor, PQCrypto, volume 7932 of Lecture Notes in Computer Science, pages 217-230. Springer, 2013). Although countermeasures were proposed against some of the leakages, the situation is still unsatisfactory, as is noted in the conclusion of [Strenzke 2013].

The McEliece cryptosystem is described in [Au] Au, Susanne et al., The McEliece Cryptosystem, http://www.math.uml.edu/˜s-jeverso2/McElieceProject.pdf, accessed on Mar. 10, 2016, and in [Georgieva] Georgieva, Mariya and de Portzamparc, Frédéric, Toward Secure Implementation of McEliece Decryption, COSADE 2015, https://www.cosade.org/proceedings/paper_S04_3.pdf, accessed on Mar. 10, 2016, incorporated herein by reference.

In summary, in the McEliece cryptosystem, decoding an encoded message c requires determining the error e. The principal methods for obtaining e use the Extended Euclidean Algorithm (EEA) to compute an error locator polynomial σ(z). More details of the EEA are provided herein below. The EEA is particularly vulnerable to side-channel attacks because, for example, its execution time depends on the Hamming weight of the error e. Thus, side-channel leakages may be used to deduce possible values for e.

Prior efforts to protect a cryptographic device performing McEliece decryption include ensuring that the EEA computation is performed both on the ciphertext c and on a twisted ciphertext c*^(i) such that the execution times for c and c*^(i) are the same ([Shoufan]). However, such a defense does not protect against leakages other than execution time.

Strenzke ([Strenzke 2013] and [Strenzke 2010]) studied the secure execution of McEliece decryption in the special case of decoding errors of weight 4 or 6. However, Strenzke did not provide a countermeasure applicable to the general case.

From the foregoing it will be apparent that, while McEliece cryptography provides an attractive alternative to RSA and other popular asymmetric cryptography systems, there is still a need for an improved technology that provides a secure mechanism, that is computationally efficient, and that does not produce side-channel leakage exploitable in side-channel attacks to deduce the error e in the encoding of a message m when performing cryptographic operations using the Extended Euclidean Algorithm, for example, decryption of McEliece codes.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic illustration of a host computer with a portable security device, e.g., a smart card, connected thereto for performing cryptographic services through connection over a network to one or more servers.

FIG. 2 is a schematic illustration of a portable security device.

FIG. 3 is a schematic illustration of programs stored in a memory of the portable security device of FIG. 2.

FIG. 4 is a schematic illustration illustrating the encryption and corresponding decryption of a message according to the McEliece cryptography system.

FIG. 5 illustrates the steps involved in decrypting a message encrypted using the McEliece cryptography system.

FIG. 6 is a pseudocode section illustrating the standard method for performing an Extended Euclidean Algorithm as may be employed in decryption of a message in the McEliece cryptography system.

FIG. 7 is a pseudocode section illustrating a modified Extended Euclidean Algorithm (EEA) that, when employed by a cryptography device implementing the McEliece cryptography system, renders the cryptography device less prone to side-channel attacks targeting the EEA.

DETAILED DESCRIPTION OF THE INVENTION

In the following detailed description, reference is made to the accompanying drawings that show, by way of illustration, specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. It is to be understood that the various embodiments of the invention, although different, are not necessarily mutually exclusive. For example, a particular feature, structure, or characteristic described herein in connection with one embodiment may be implemented within other embodiments without departing from the spirit and scope of the invention. In addition, it is to be understood that the location or arrangement of individual elements within each disclosed embodiment may be modified without departing from the spirit and scope of the invention. The following detailed description is, therefore, not to be taken in a limiting sense, and the scope of the present invention is defined only by the appended claims, appropriately interpreted, along with the full range of equivalents to which the claims are entitled. In the drawings, like numerals refer to the same or similar functionality throughout the several views.

In an embodiment of the invention, a technology is provided that enables smart cards, or other portable security devices, to be used to digitally sign documents or to decrypt encrypted documents or messages using private keys stored on the smart cards in a manner that efficiently reduces the risk of differential power analysis attacks.

Smart cards are plastic cards with an embedded microprocessor and a secure storage. They are portable, secure, and tamper-resistant. Smart cards provide security services in many domains including telecommunication, banking, commerce, and citizen identity. Smart cards can take different forms, such as credit card shaped cards with electrical connectors to connect the smart card to a smart card reader, USB tokens with embedded smart cards, and SIM cards for use in mobile telephones and tablet devices. Smart cards are used herein as examples of portable security devices that may be used in implementations of the technology described herein. Other examples of portable security devices include smart memory cards, flash memory, etc. In a preferred embodiment, the portable security device has a processor, a memory for storing programs and data, and some security features to make the device relatively tamper-proof. Smart cards are used herein as examples of such devices.

While the mechanism for masking a cryptographic calculation described herein may be used advantageously in smart cards and other portable security tokens used for performing cryptographic calculations, the same mechanisms may also be used with other cryptographic processors. Thus, smart cards are used herein for illustrative purposes only.

Cryptographic operations, such as encryption and decryption, are examples of functions that smart cards provide. The smart card stores private or shared secret keys in its secure storage and performs cryptographic operations to generate a digital signature for a given input or to decrypt a given input. A smart card works with a host device, such as a personal computer (PC), cell phone, tablet device or banking terminal. A PC application, such as an email client or a web browser, typically works with a smart card to sign, encrypt, or decrypt a document. The cryptographic operation may be part of a challenge-response mechanism for user authentication. The PC application and the smart card interact through some cryptographic API called middleware, which is designed to communicate with the smart card. In this scenario, the smart card provides services locally to the PC.

FIG. 1 is a schematic illustration of a network 111 connecting a host computer 103, with a portable security device 109, e.g., a smart card, connected thereto, to one or more remote servers 113. The host computer 103 is operated by a user 101 who interacts with one of the servers 113 via a web browser window 105 of a web browser. In the example scenario illustrated in FIG. 1, the smart card 109 provides the cryptographic operations on behalf of the user 101, e.g., to cryptographically sign documents, to decrypt messages received from the relying party 113, or to perform a cryptographic operation as part of a challenge-response authentication mechanism.

While FIG. 1 provides an illustration of a scenario in which cryptography may play an important role, there are many other important uses for cryptography. Thus, the technology described herein is not limited in its application to the example of use illustrated in FIG. 1.

FIG. 2 is a schematic illustration of a portable security device 109, for example, a smart card. The portable security device 109 may include a processor 201 connected via a bus 202 to a random access memory (RAM) 203, a read-only memory (ROM) 204, and a non-volatile memory (NVM) 205. The portable security device 109 further includes an input/output interface 207 for connecting the processor 201, again typically via the bus 202, to a connector 211 by which the portable security device 109 may be connected to the host computer 103.

In alternative embodiments, the connection between the host computer 103 and the portable security device 109 is wireless, for example, using near-field communication (NFC) or other radio or microwave communication technologies.

The NVM 205 and/or ROM 204 may include computer programs 301 as is illustrated in FIG. 3. While it is here depicted that the computer programs 301 are all co-located in the ROM 204 or the NVM 205, in actual practice there is no such restriction, as programs may be spread out over multiple memories and even temporarily installed in RAM 203. Furthermore, the portable security device 109 may include multiple ROMs or NVMs. The programs 301 include operating system programs as well as application programs loaded onto the portable security device 109. The NVM 205 or ROM 204 may also contain private data, such as a private key 209 or a shared secret key 210, stored either in its basic form or in derived quantities.

The portable security device 109 programs 301 may include a cryptography module 213, a user authentication module 215, a communications module 217, and the operating system OS 219.

Thus, the portable security device 109 may receive a document or message via the connector 211. The processor 201, by executing instructions of the cryptography module 213, may digitally sign the document/message or may decrypt the document/message using the private key 209 or shared secret key 210. Using functionality provided through the communications module 217, the processor 201 may receive and transmit communications with the host computer 103.

The technology presented herein is useful for protecting cryptographic devices that employ the Extended Euclidean Algorithm during decryption of messages encrypted using cryptography systems based on coding theory, for example, in the manner of the McEliece cryptosystem. The primary purpose of coding theory is not the encryption of messages. Rather, it is useful in transmitting messages accurately over communication channels that are not 100% perfect. In summary, a message may be encoded in such a way that even if the message is not received perfectly, the recipient may decode the message: additional information is attached to each message that allows a recipient to correct the message if some of the bits are incorrectly received. One example of such an error-correcting coding system used for cryptography is the McEliece coding system introduced in 1978 [McEliece]. The McEliece cryptosystem is described very well in [Au] and in [Georgieva].

FIG. 4 is a flow chart illustrating the flow from the encryption of a plaintext message m into a code c followed by the decryption of the code c back into the plaintext message m, for example, using the McEliece cryptosystem.

Algorithm 1, below, describes the McEliece cryptosystem instantiated with a binary Goppa code, i.e., q = 2. (Details of the McEliece cryptosystem are beyond the scope of this document; the reader is referred to [McEliece], [Georgieva] and [Au] for additional description.) The public key is derived from G, a k×n matrix over a field F_(q) of size q whose rows generate a Goppa code of length n and dimension k. G is described by secret elements x ∈ F_(q^m)^(n) (the support) and a polynomial g(z) ∈ F_(q^m)[z] of degree t, where m and t are parameters such that n − mt ≥ 0.

Algorithm 1 McEliece Cryptosystem

PARAMETERS: field size q, code length n and dimension k, parameters m, t such that n − mt ≥ 0. Plaintext space: F_(q)^(k). Ciphertext space: F_(q)^(n).

KEYGEN: Pick a support x ∈ F_(q^m)^(n), a polynomial g ∈ F_(q^m)[x] of degree t, and G a generator matrix of the Goppa code Γ(x, g).
  PUBLIC KEY: G_(pub) = SGP, and t, the correction capacity of the code Γ(x, g).
  PRIVATE KEY: T_(t), a t-decoder for Γ(x, g); S, a random full-rank k×k matrix; P, a random n×n permutation matrix.

ENCRYPT:
  1: Input m ∈ F_(q)^(k).
  2: Generate a random e ∈ F_(q)^(n) with w_(H)(e) = t.
  3: Output c = mG_(pub) + e.

DECRYPT:
  1: Input c ∈ F_(q)^(n).
  2: Compute m̂ = T_(t)(cP⁻¹) (the decoder returns m̂ = mS, since cP⁻¹ = mSG + eP⁻¹ and P⁻¹ preserves the weight of e).
  3: If decoding succeeds, output m̂S⁻¹; else output ⊥.

In a key generation step 401, a public key G_(pub) is generated from a random full-rank k×k matrix S, a random n×n permutation matrix P and a generator matrix G of the Goppa code Γ(x, g), such that G_(pub) = SGP. The corresponding private key is T_(t), a t-decoder for Γ(x, g), together with S and P.

A plaintext message m 403 ∈ F_(q)^(k) is encrypted, step 405, by generating a random error e ∈ F_(q)^(n) having Hamming weight t. The output encrypted message 408, c ∈ F_(q)^(n), has the value c = mG_(pub) + e.

The encrypted message c 408 is transmitted over a transmission channel, e.g., a network 407, to a recipient. The "transmission" may be the storage of the encrypted message c in a storage medium from which the recipient may retrieve it, e.g., on a portable security device 109, which may be a mass storage device or a smart card, for example.

Decrypting, step 409, the message c 408 back into a plaintext message 411 is illustrated in FIG. 5.

A cryptographic device, e.g., the portable security device 109, receives or retrieves the encrypted message c 408. A decryption module 501 of the cryptography module 213 decrypts the message c 408. There are several possible decoders T_(t) for a binary Goppa code. Suppose one wants to decode an encoded message m ∈ F_(q)^(k) with errors e: c = mG + e, where the Hamming weight of e (denoted herein as w_(H)(e)) satisfies w_(H)(e) ≤ t. Writing w = w_(H)(e) and i_1, …, i_w for the error positions, e may be written as

e = ( …, 0, e_(i_1), 0, …, 0, e_(i_w), 0, … ).

There are several approaches to decrypting a message c 408 that has been encrypted using the McEliece cryptography system. One such method uses the fact that Goppa codes belong to the larger class of alternant codes; that method is referred to herein as the Alternant Decoder. Another one, called the Patterson Algorithm, is specific to binary Goppa codes. Common to both are the following high-level steps:

-   Compute a polynomial syndrome S(z), step 503. S(z) is a univariate polynomial deduced from c, but depending solely on e.
-   Use the Extended Euclidean Algorithm (EEA) to compute an error locator polynomial σ(z), step 505. The roots of the error locator polynomial σ(z) are related to the support elements x_(i_j) in the error positions i_j.
-   Determine the roots of σ(z) and deduce the error e therefrom, step 507. Since e ∈ F_(2)^(n), e_(i_j) ≠ 0 implies e_(i_j) = 1.

The polynomial syndromes, key equations and their resolutions are specific to each method. Table I, below, summarizes them for the Alternant Decoder and the Patterson Decoder:

TABLE I Alternant Decoder and Patterson Decoder

Alternant Decoder
  Polynomial syndrome: $S_{Alt,e}(z) = \sum_{l=0}^{2t-1} \left( \sum_{i=0}^{n-1} c_i \, g(x_i)^{-2} x_i^{l} \right) z^{l}$
  Polynomials to be recovered: $\sigma_{inv,e}(z) = \prod_{j=1}^{w} (1 - z x_{i_j})$, $\omega_{inv,e}(z) = \sum_{j=1}^{w} e_{i_j} \, g(x_{i_j})^{-1} \prod_{s=1, s \neq j}^{w} (1 - z x_{i_s})$
  Key equation: $(\sigma_{inv,e}, \omega_{inv,e})$ is the unique solution of $\omega_{inv}(z) = \sigma_{inv}(z) \, S_{Alt,e}(z) \bmod z^{2t}$ with $\deg(\sigma_{inv}) \le t$ and $\deg(\omega_{inv}) < t$
  Resolution: $EEA(z^{2t}, S_{Alt,e}, t)$ outputs $(\mu \sigma_{inv}, (-1)^{N} \mu \, \omega_{inv})$ for some $\mu \in \mathbb{F}_{q^m}^{*}$, $N \ge 0$
  Error recovery: $\sigma_e(z) = z^{w} \sigma_{inv}(1/z)$; find the roots of $\sigma_e$

Patterson Decoder
  Polynomial syndrome: $S_{Gop,e}(z) = \sum_{i=0}^{n-1} \frac{c_i}{z - x_i} \bmod g(z)$
  Polynomials to be recovered: $\sigma_e(z) = \prod_{j=1}^{w} (z - x_{i_j})$, $\omega_e(z) = \sum_{j=1}^{w} \prod_{s=1, s \neq j}^{w} (z - x_{i_s})$
  Key equation: $(\sigma_1, \sigma_2)$ is the unique solution of $\tau(z) \sigma_2(z) = \sigma_1(z) \bmod g(z)$ with $\deg(\sigma_1) \le \lfloor t/2 \rfloor$ and $\deg(\sigma_2) < \lfloor t/2 \rfloor$, where $\tau(z) = \sqrt{S_{Gop,e}(z)^{-1} + z} \bmod g(z)$
  Resolution: 1. $EEA(g(z), S_{Gop,e}(z), 0)$ outputs $S_{Gop,e}^{-1} \bmod g$; 2. $EEA(g(z), \tau, \lfloor t/2 \rfloor)$ outputs $(\sigma_1, \sigma_2)$
  Error recovery: $\sigma_e(z) = \sigma_1(z)^2 + z \, \sigma_2(z)^2$, $\omega_e = \sigma_e S_e \bmod g$; find the roots of $\sigma_e$

Thus, in both the Alternant Decoder and the Patterson Algorithm, the Extended Euclidean Algorithm plays an important role in determining the error e.

FIG. 6 is a pseudocode 601 of the standard Extended Euclidean Algorithm, also set forth in Table II, below:

TABLE II Standard Extended Euclidean Algorithm

Input: a(z), b(z) with deg(a) ≥ deg(b), and d_(fin)
Output: u(z), r(z) with b(z)u(z) = r(z) mod a(z) and deg(r) ≤ d_(fin)
 1: r_(−1)(z) ← a(z), r_0(z) ← b(z), u_(−1)(z) ← 0, u_0(z) ← 1
 2: i ← 0
 3: while deg(r_i(z)) > d_(fin) do
 4:   i ← i + 1
 5:   q_i(z) ← r_(i−2)(z) / r_(i−1)(z)   (polynomial quotient)
 6:   r_i(z) ← r_(i−2)(z) − q_i(z) r_(i−1)(z)
 7:   u_i(z) ← u_(i−2)(z) − q_i(z) u_(i−1)(z)
 8: end while
 9: N ← i
10: return u_N(z), r_N(z)

Inputs to the Extended Euclidean Algorithm (EEA) are the polynomials a(z), b(z), where deg(a) ≥ deg(b), and d_(fin), the polynomial degree at which a particular invocation of the EEA terminates.

Generally speaking, the EEA produces two polynomials u(z) and r(z) such that b(z)u(z) = r(z) mod a(z) with deg(r) ≤ d_(fin).

It should be noted that the standard EEA consists of a while loop in which successive polynomial divisions are performed. The loop exits as soon as deg(r_i) falls to d_(fin), so the number of iterations of the while loop, and the number of coefficient operations inside each division, depend on the inputs a(z) and b(z), that is, in the decoding setting, on the error e. Furthermore, the complexity of the EEA is O(deg(a)²). For these reasons, the standard EEA with a while loop as in Table II is an attractive target for side-channel attack: implicit in the above is that the flow of the decryption is strongly influenced by the error vector.

According to a preferred embodiment, the EEA is performed using an algorithm that avoids the potential for side-channel leakage due to a computation flow dependent on the inputs a(z) and b(z). FIG. 7 and Table III present a pseudocode 701 for such an algorithm.

TABLE III An Extended Euclidean Algorithm with execution flow independent of the input polynomials

Input: a(z) = z^(2t), b(z) = S_e(z), d = 2t
Output: Û_d(z) = μ z^(d−w(e)+1) σ_(inv)(z), R̂_d(z) = μ z^(d−w(e)+1) ω_(inv)(z) for some μ ∈ F_(q^m)*
 1: R̂_(−1)(z) ← a(z), R̂_0(z) ← z·b(z)
 2: Û_(−1)(z) ← 0, Û_0(z) ← z
 3: δ ← −1
 4: for j = 1, …, d do
 5:   α_j ← R̂_(j−1,d), β_j ← R̂_(j−2,d)   (the coefficients of z^d in R̂_(j−1) and R̂_(j−2))
 6:   temp_R(z) ← z(α_j R̂_(j−2)(z) − β_j R̂_(j−1)(z))
 7:   temp_U(z) ← z(α_j Û_(j−2)(z) − β_j Û_(j−1)(z))
 8:   if α_j = 0 (i.e. deg(R̂_(j−1)) < deg(R̂_(j−2))) then
 9:     δ ← δ + 1
10:   else
11:     δ ← δ − 1
12:   end if
13:   if δ < 0 then
14:     (R̂_j(z), R̂_(j−1)(z)) ← (R̂_(j−1)(z), temp_R)
15:     (Û_j(z), Û_(j−1)(z)) ← (Û_(j−1)(z), temp_U)
16:     δ ← 0
17:   else
18:     (R̂_j(z), R̂_(j−1)(z)) ← (temp_R, R̂_(j−2)(z))
19:     (Û_j(z), Û_(j−1)(z)) ← (temp_U, Û_(j−2)(z))
20:     δ ← δ
21:   end if
22: end for
23: return Û_d(z), R̂_d(z)

In the EEA with regular execution flow illustrated in FIG. 7 (Table III), the while loop of the standard EEA of FIG. 6 (Table II) has been replaced with a for loop whose trip count depends solely on the degree of the higher-degree input polynomial. Furthermore, regardless of the input, the same number and kind of operations are performed: every iteration computes one cross-multiplication of the two registers and one shift by z, and the two branches of each if statement perform operations of the same kind on different operands (line 20, δ ← δ, keeps the two branches of the same length). Therefore the regular-flow EEA is less prone to side-channel attack. Note that the branch conditions still depend on secret data, so an implementation should apply them through constant-time selection of operands rather than through actual conditional jumps, so that the instruction sequence is identical for every input.

As with the standard EEA algorithm (FIG. 6), the modified regular-flow EEA algorithm (FIG. 7) accepts three inputs: a first polynomial a(z), a second polynomial b(z), and an iteration parameter d. The parameter d is a publicly known parameter of the underlying decryption scheme. For example, for the Alternant Decoder for McEliece codes, the parameter d is 2t. Conversely, for the second EEA computation of the Patterson algorithm, the parameter d is ⌊t/2⌋.

In the pseudocode of FIG. 7 (and Table III), the regular flow EEA isadapted for the Alternant Decoder. Thus, the first input polynomial isz^(2t) and the corresponding termination parameter d is set to 2t, i.e.,2t is the number of iterations in the for loop as compared to in thestandard EEA, in which the max number of executions of the while loop is2t. The second input polynomial is the polynomial syndrome S_(e) (z)corresponding to the code c, i.e.,

$S_e(z)=\sum_{l=0}^{2t-1}\left(\sum_{i=0}^{n-1} c_i\, g(x_i)^{-2}\, x_i^{l}\right) z^{l}.$

The for loop is executed 2t times regardless of the weight of either input polynomial and, thus, does not depend on the weight of the input polynomials, whereas for the standard EEA with a while loop the number of executions of the while loop depends on the inputs a(z) and b(z).

The modified EEA of FIG. 7 may also be used for the second EEA computation of the Patterson algorithm, i.e.,

$\mathrm{EEA}\left(g(z), \tau, \left\lfloor \tfrac{t}{2} \right\rfloor\right).$

The section below entitled Derivation of the Regular Flow EEA illustrates the derivation of the regular flow EEA from the standard EEA and shows that it is analogous to the standard EEA. As noted there, the outputs of the standard EEA and the regular flow EEA are related as follows, for some μ ∈ F_(q^m)^*:

$\hat{R}_d(z)=\mu z^{\,d-w(e)+1}\, r_N(z)$

$\hat{U}_d(z)=\mu z^{\,d-w(e)+1}\, u_N(z)$

where w(e) is the Hamming weight of the error e. The above relationship between the outputs of the regular flow EEA of FIG. 7 and the standard EEA is proved in [Georgieva], incorporated herein by reference.

The coefficient μ exists, and this fact is sufficient to proceed with the McEliece decryption using the Alternant Decoder, or with the second EEA computation of the Patterson Algorithm, because these decoders are only concerned with the roots of the error locator polynomial σ_e(z) (and the roots of the output of the EEA may be used to determine the roots of the error locator polynomial σ_e(z)).

Considering the relationship

$\hat{U}_d(z)=\mu z^{\,d-w(e)+1}\, u_N(z)$

if 0 is not an element of the support x (the case for the Alternant Decoder or for the second EEA computation of the Patterson Algorithm), then the roots (≠ 0) of Û_d(z) are exactly the same as the roots of u_N(z) = σ_inv(z), and the roots can therefore be computed from the output of the regular flow modified EEA of FIG. 7.

For example, in the Alternant Decoder, the final step is:

$\sigma_e(z)=z^{\omega}\,\sigma_{\mathrm{inv}}(1/z)$

Therefore, the output from the regular flow EEA of FIG. 7 may be used to compute the roots of σ_e(z) and then to proceed with the decoding operation to determine the error e.

Derivation of the Regular Flow EEA from the Standard EEA.

Here, we transform the standard EEA (Alg. 1) smoothly into successive versions that gain in regularity (Step 1 and Step 2). We end up with Alg. 2, which is simpler and more regular than all the previous ones.

Alg. 1 (Standard EEA):

Input: a(z), b(z), deg(a) ≥ deg(b), d_fin
Output: u(z), r(z) with b(z)u(z) = r(z) mod a(z) and deg(r) ≤ d_fin

 1: r_(−1)(z) ← a(z), r_0(z) ← b(z), u_(−1)(z) ← 1, u_0(z) ← 0
 2: i ← 0
 3: while deg(r_i(z)) > d_fin do
 4:   i ← i + 1
 5:   q_i ← r_(i−2)(z) / r_(i−1)(z)
 6:   r_i ← r_(i−2)(z) − q_i(z) r_(i−1)(z)
 7:   u_i ← u_(i−2)(z) − q_i(z) u_(i−1)(z)
 8: end while
 9: N ← i
10: return u_N(z), r_N(z)

Step 1 (Unrolling Euclidean Division).

We decompose each Euclidean division into a number of polynomial subtractions. The idea is to kill the highest degree term without performing a field division, depending only on δ_i = deg(q_i(z)) = deg(r_(i−2)) − deg(r_(i−1)). We make explicit the intermediate values of the Euclidean division of R_(i−2)(z) by R_(i−1)(z), which we denote R_i^(0)(z), ..., R_i^(δ_i+1)(z). To do so, we eliminate in each R_i^(j)(z) (for 0 ≤ j ≤ δ_i+1) the term z^(d_(i−2)−j), whether the associated coefficient is zero or not. This is why we perform the Euclidean divisions in a way that avoids divisions by field elements. Consequently, the outputs are multiples of the outputs of Alg. 1 with the same inputs, and Δ_i = deg(R_(i−2)) − deg(R_(i−1)) = deg(r_(i−2)) − deg(r_(i−1)) = δ_i.

Alg. 2 (Euclidean division on the left, Step 1 (sequence of polynomial subtractions) on the right):

Euclidean division:

 1: while deg(r_i(z)) > d_fin do
 2:   i ← i + 1
 3:   q_i ← r_(i−2)(z) / r_(i−1)(z)
 4:   r_i ← r_(i−2)(z) − q_i(z) r_(i−1)(z)
 5: end while

Step 1 (polynomial subtractions):

 1: while deg(R_i(z)) > d_fin do
 2:   i ← i + 1
 3:   R_(i−2)^(0)(z) ← R_(i−2)(z), β_i ← LC(R_(i−1)(z))
 4:   Δ_i ← deg(R_(i−2)) − deg(R_(i−1))
 5:   for j = 0, ..., Δ_i do
 6:     α_(i,j) ← R_(i−2, d_(i−2)−j)^(j)
 7:     R_(i−2)^(j+1)(z) ← β_i R_(i−2)^(j)(z) − α_(i,j) z^(Δ_i−j) R_(i−1)(z)
 8:   end for
 9:   R_i(z) ← R_(i−2)^(Δ_i+1)(z)
10: end while

Proposition 1 (Comparison of Alg. 1 and 2). Let a(z) and b(z) be two polynomials with deg(a(z)) ≥ deg(b(z)) and d a non-negative integer. u_i(z), v_i(z), r_i(z), q_i(z) are intermediate values in Alg. 1, and U_i(z), V_i(z), R_i(z) are intermediate values in Alg. 2. It holds that, for all i = −1, ..., N, there exists λ_i ∈ F_(q^m)^* such that:

$R_i(z)=\lambda_i\, r_i(z),$

$U_i(z)=\lambda_i\, u_i(z)$

As a consequence,

$\Delta_i=\deg(R_{i-2})-\deg(R_{i-1})=\deg(r_{i-2})-\deg(r_{i-1})=\delta_i \quad \text{for all } i.$

There are two problems with Step 1. The first problem is that the inner for loop has a variable length and contains a multiplication z^(δ_i−(j−1)) R_i(z) which depends on the iteration (we can accidentally kill not only the highest degree term but also terms of lower degree, which should be retained), and which will produce a recognizable pattern. The second problem is that the while loop leads to a variable number of operations according to the input. It is not realizable because it requires that the EEA has already been executed and observed. However, it is useful as an intermediate step leading to Step 2, described below.

Step 2 (Regular Polynomial Shift Pattern)

We perform the Euclidean division in such a way that we only multiply the operand by z at each for iteration. This can be done by splitting each Euclidean division into two phases. The first phase L1 "re-aligns" the operands R̃_(i−2) and R̃_(i−1) so that they both have the same degree d = deg(R_(−1)(z)) (= 2t). The second phase L2 then computes the polynomial subtractions (corresponding to Step 1) and performs a shift "re-aligning" of the operands. A consequence is that the polynomials R̃_i(z) are of the form z^(k_i) R_i(z) and the degrees d_i are lost. N is the number of iterations of the while loop of the EEA and Δ_i is the value of deg(R_(i−2)) − deg(R_(i−1)) during the execution of the EEA with Step 1.

Step 2 (Pseudocode):

 1: for i = 1, ..., N do
 2:   R̃_(i−2)^(0)(z) ← R̃_(i−2)(z)
 3:   for k = 1, ..., Δ_i − 1 do
 4:     R̃_(i−1)(z) ← z R̃_(i−1)(z)
 5:   end for                                     (steps 3-5: phase L1)
 6:   for j = 0, ..., Δ_i do
 7:     α̃_(i,j) ← R̃_(i−2,d)^(j), β̃_i ← R̃_(i−1,d)
 8:     R̃_(i−2)^(j+1)(z) ← z(β̃_i R̃_(i−2)^(j)(z) − α̃_(i,j) R̃_(i−1)(z))
 9:   end for                                     (steps 6-9: phase L2)
10:   R̃_i(z) ← R̃_(i−2)^(Δ_i+1)(z)
11: end for

Example of polynomial subtractions (Step 1) and multiplication of the operand by z (Step 2):

z⁴ = (α⁴z² + z + α¹³)(α¹¹z² + α⁷z + α¹¹) + (α³z + α⁹)

Step 1 (dividend z⁴, divisor α¹¹z² + α⁷z + α¹¹):

  α¹¹(z⁴) − z²(α¹¹z² + α⁷z + α¹¹) = α⁷z³ + α¹¹z²
  α¹¹(α⁷z³ + α¹¹z²) − α⁷z(α¹¹z² + α⁷z + α¹¹) = αz² + α³z
  α¹¹(αz² + α³z) − α(α¹¹z² + α⁷z + α¹¹) = α⁶z + α¹²

Step 2 (dividend z⁴, divisor α¹¹z² + α⁷z + α¹¹, each operand multiplied by z):

  z(0 × (z⁴) − 1 × (α¹¹z² + α⁷z + α¹¹)) = α¹¹z³ + α⁷z² + α¹¹z
  z(0 × (z⁴) − 1 × (α¹¹z³ + α⁷z² + α¹¹z)) = α¹¹z⁴ + α⁷z³ + α¹¹z²
  z(α¹¹(z⁴) − 1 × (α¹¹z⁴ + α⁷z³ + α¹¹z²)) = α⁷z⁴ + α¹¹z³
  z(α⁷(α¹¹z⁴ + α⁷z³ + α¹¹z²) − α¹¹(α⁷z⁴ + α¹¹z³)) = αz⁴ + α³z³
  z(α(α¹¹z⁴ + α⁷z³ + α¹¹z²) − α¹¹(αz⁴ + α³z³)) = α⁶z⁴ + α¹²z³

Complete Regular Flow EEA.

To design a truly constant flow algorithm, we merge the loops L1 and L2 into a common pattern so that they are indistinguishable (Steps 5 to 7 of Alg. 3). They differ only in the assignments, which are performed in Steps 14-15 and 18-19. To know when the polynomial subtractions have to be stopped, we collect in a counter δ the number of shifts necessary to re-align the operands. To design an algorithm with a regular pattern we use the fact that Σ_(i=1)^N δ_i = w(e) − 1; therefore, the number of iterations can be safely set to the maximum value (i.e., 2t to decode errors with w(e) = t), and the while loop is replaced by a for loop.

Complete Regular Flow Extended Euclidean Algorithm (Alg. 3):

Input: a(z) = z^(2t), b(z) = S_e(z), d = 2t
Output: Û_d(z) = μ z^(d−w(e)+1) σ_inv(z), R̂_d(z) = μ z^(d−w(e)+1) ω_e(z) for some μ ∈ F_(q^m)^*.

 1: R̂_(−1)(z) ← a(z), R̂_0(z) ← z b(z)
 2: Û_(−1)(z) ← 1, Û_0(z) ← 0
 3: δ ← −1
 4: for j = 1, ..., d do
 5:   α_j ← R̂_(j−1,d), β_j ← R̂_(j−2,d)
 6:   temp_R(z) ← z(α_j R̂_(j−2)(z) − β_j R̂_(j−1)(z))
 7:   temp_U(z) ← z(α_j Û_(j−2)(z) − β_j Û_(j−1)(z))
 8:   if α_j = 0 (i.e. deg(R̂_(j−1)) < deg(R̂_(j−2))) then
 9:     δ ← δ + 1
10:   else
11:     δ ← δ − 1
12:   end if
13:   if δ < 0 then
14:     (R̂_j(z), R̂_(j−1)(z)) ← (R̂_(j−1)(z), temp_R)
15:     (Û_j(z), Û_(j−1)(z)) ← (Û_(j−1)(z), temp_U)
16:     δ ← 0
17:   else
18:     (R̂_j(z), R̂_(j−1)(z)) ← (temp_R, R̂_(j−2)(z))
19:     (Û_j(z), Û_(j−1)(z)) ← (temp_U, Û_(j−2)(z))
20:     δ ← δ
21:   end if
22: end for
23: return Û_d(z), R̂_d(z)

(Steps 3 to 22 form the computation L.)

Proposition 2 (Comparison of standard EEA and modified regular flow EEA). For each i = 1, ..., N, after step 21 (FIG. 7), it holds that:

$\hat{R}_{2(\delta_1+\cdots+\delta_i)}(z)=z^{\,d-d_{i-1}}\, R_i(z)$

$\hat{U}_{2(\delta_1+\cdots+\delta_i)}(z)=z^{\,d-d_{i-1}}\, U_i(z)$

The outputs of Alg. 1 and Alg. 3 are related as follows:

$\hat{R}_d(z)=\mu z^{\,d-w(e)+1}\, r_N(z)$

$\hat{U}_d(z)=\mu z^{\,d-w(e)+1}\, u_N(z)$

wherein w(e) is the Hamming weight of the error.

Therefore, provided 0 is not an element of the support x, the algorithm allows the error positions to be recovered without ambiguity. Transposing this result to Patterson decoding requires adapting both EEAs. The adaptation of the second one is straightforward. For the first one (syndrome inversion), a problem arises: z can be a multiplier of the output, and we found no way of determining when z is a factor of S⁻¹(z) mod g.
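As an added example, not part of the patent, the following Python implements Alg. 1 and Alg. 3 exactly as listed above over GF(2⁴) and runs them on the page's worked division of z⁴ by α¹¹z² + α⁷z + α¹¹. The field modulus x⁴ + x + 1 and all helper names are assumptions (the modulus is the one consistent with the quotient and remainder printed on the page); the code reproduces the rows of the Step 2 example, counts the same number of field multiplications for every input of Alg. 3, and checks the scalar-times-z-power relation of Proposition 2 between the regular flow registers and the standard EEA's (u_i, r_i).

```python
# Added example, not from the patent: Alg. 1 (standard EEA) and Alg. 3 (regular
# flow EEA) over GF(2^4), run on the page's division of z^4 by a^11 z^2 + a^7 z + a^11
# (a = alpha). The modulus x^4 + x + 1 is an assumption, chosen because it is the
# one consistent with the quotient and remainder printed on the page.
MOD = 0b10011                                   # x^4 + x + 1 (assumed)
EXP, LOG = [0] * 30, [0] * 16                   # antilog / log tables, alpha = x
_x = 1
for _i in range(15):
    EXP[_i], LOG[_x] = _x, _i
    _x <<= 1
    if _x & 0x10:
        _x ^= MOD
for _i in range(15, 30):
    EXP[_i] = EXP[_i - 15]

def gf_mul(a, b):
    # The zero test is itself a data-dependent branch: a device needs a
    # constant-time field multiplication, which the page leaves out of scope.
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def gf_inv(a):
    return EXP[15 - LOG[a]]

# Polynomials: coefficient lists, index = degree, [] is zero; "-" is xor in char 2.
def deg(p):
    return max((i for i, c in enumerate(p) if c), default=-1)

def trim(p):
    return list(p[:deg(p) + 1])

def poly_add(a, b):
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) ^ (b[i] if i < len(b) else 0)
                 for i in range(n)])

def poly_mul(a, b):
    out = [0] * (len(a) + len(b))
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] ^= gf_mul(ai, bj)
    return trim(out)

def poly_divmod(a, b):
    """Long division a = q*b + r with field divisions, as in Alg. 1 step 5."""
    r, db = list(a), deg(b)
    q, inv_lead = [0] * max(len(a) - db, 1), gf_inv(b[db])
    for i in range(deg(r), db - 1, -1):
        coef = gf_mul(r[i], inv_lead)
        q[i - db] = coef
        for j, bj in enumerate(b):
            r[i - db + j] ^= gf_mul(coef, bj)
    return trim(q), trim(r)

def std_eea(a, b, d_fin):
    """Alg. 1: returns (u_N, r_N, N); the while-loop count N depends on the inputs."""
    r_prev, r, u_prev, u, n = list(a), list(b), [1], [], 0
    while deg(r) > d_fin:
        n += 1
        q, rem = poly_divmod(r_prev, r)
        r_prev, r = r, rem
        u_prev, u = u, poly_add(u_prev, poly_mul(q, u))
    return u, r, n

def regular_flow_eea(a, b, d):
    """Alg. 3 as listed above, on (d+1)-coefficient registers; assumes deg(b) < d.
    Returns U_d, R_d, U_{d-1}, R_{d-1}, the temp_R of every step, and the number
    of field multiplications performed, which is the same for every input."""
    pad = lambda p: (list(p) + [0] * (d + 1))[:d + 1]
    R_prev, R_cur = pad(a), pad([0] + list(b))     # step 1: R_{-1} = a, R_0 = z*b
    U_prev, U_cur = pad([1]), pad([])               # step 2: U_{-1} = 1, U_0 = 0
    delta, trace, ops = -1, [], 0                   # step 3
    for _ in range(d):                              # step 4: always d iterations
        al, be = R_cur[d], R_prev[d]                # step 5: alpha_j, beta_j
        # steps 6-7: temp = z*(alpha*X_{j-2} - beta*X_{j-1}); the z^d terms cancel
        tR = [0] + [gf_mul(al, R_prev[i]) ^ gf_mul(be, R_cur[i]) for i in range(d)]
        tU = [0] + [gf_mul(al, U_prev[i]) ^ gf_mul(be, U_cur[i]) for i in range(d)]
        ops += 4 * d
        delta += 1 if al == 0 else -1               # steps 8-12
        if delta < 0:                               # steps 14-16
            R_prev, U_prev, delta = tR, tU, 0
        else:                                       # steps 18-20
            R_cur, U_cur = tR, tU
        trace.append(tR)
    return U_cur, R_cur, U_prev, R_prev, trace, ops

def scaled_shift(P, p):
    """(mu, k) with P(z) == mu * z^k * p(z), or None: the relation of Prop. 2."""
    P, p = trim(P), trim(p)
    k = deg(P) - deg(p)
    if deg(p) < 0 or k < 0 or any(P[:k]):
        return None
    mu = gf_mul(P[-1], gf_inv(p[-1]))
    return (mu, k) if P[k:] == [gf_mul(mu, c) for c in p] else None

if __name__ == "__main__":
    a, b = [0, 0, 0, 0, 1], [EXP[11], EXP[7], EXP[11]]  # z^4 and the page's b(z)
    print(poly_divmod(a, b))            # q = [a^13, 1, a^4], r = [a^9, a^3]
    print(regular_flow_eea(a, b, 4)[4]) # the temp_R rows of the Step 2 example
```

The loop structure is what the page makes regular; the branch on δ in steps 13-21 and the data-dependent field multiplication would still need branch-free selection and constant-time arithmetic on a real device.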

CONCLUDING REMARKS

A technology has been presented which delinks the computation flow of the EEA algorithm from the inputs to the EEA algorithm, as may be required in certain code based cryptography systems, e.g., the McEliece cryptosystem. EEA computation is, for example, required in the decryption of McEliece codes. By utilizing such a regular flow EEA computation in a cryptography device, for example, a secure portable device, the cryptography device is less vulnerable to side-channel attack and, therefore, more secure when performing McEliece decryption.

Although specific embodiments of the invention have been described and illustrated, the invention is not to be limited to the specific forms or arrangements of parts so described and illustrated. The invention is limited only by the claims.

1. A method for protecting a cryptography device performing decryption according to a specified encryption scheme, the decryption method using an Extended Euclidean Algorithm, the method protecting the cryptographic device against side-channel attack by decrypting a code using a modified Extended Euclidean Algorithm, the cryptography device comprising a processor and memory, the method comprising: receiving by the processor a code c, wherein c is a function of a key pair (having a public key and a secret key) and an error e; decrypting by the processor the code c by deriving the error e by: computing a polynomial syndrome S(z) which is a univariate polynomial deduced from c, but depending only on e, using a modified Extended Euclidean Algorithm having inputs a(z), b(z), and d, where a(z) and b(z) are polynomials and d is a public parameter of the encryption scheme, to compute an error locator polynomial σ(z), by: iteratively performing a computation L a number of times defined by the parameter d, the computation L performing a fixed number of arithmetic operations regardless of the Hamming weight of the inputs a(z) and b(z), the arithmetic operations performing polynomial subtraction operations resulting in a result related to the result of a standard Extended Euclidean Algorithm, finding by the processor roots of σ(z); and inferring by the processor the error e from the roots of σ(z).

2. The method for protecting a cryptography device performing decryption using an Extended Euclidean Algorithm against side-channel attack of claim 1 wherein the modified Extended Euclidean Algorithm produces a result related to the Extended Euclidean Algorithm formulated as follows:

Extended Euclidean Algorithm (EEA):

Input: a(z), b(z), deg(a) ≥ deg(b), d_fin
Output: u(z), r(z) with b(z)u(z) = r(z) mod a(z) and deg(r) ≤ d_fin

 1: r_(−1)(z) ← a(z), r_0(z) ← b(z), u_(−1)(z) ← 1, u_0(z) ← 0
 2: i ← 0
 3: while deg(r_i(z)) > d_fin do
 4:   i ← i + 1
 5:   q_i ← r_(i−2)(z) / r_(i−1)(z)
 6:   r_i ← r_(i−2)(z) − q_i(z) r_(i−1)(z)
 7:   u_i ← u_(i−2)(z) − q_i(z) u_(i−1)(z)
 8: end while
 9: N ← i
10: return u_N(z), r_N(z)

wherein d_fin = ½ d, i.e., d_fin equals ½ the public parameter d of the encryption scheme, and the computation L is related to the while loop in the Extended Euclidean Algorithm such that polynomials u_n(z) and r_n(z) may be derived from the outputs of the modified Extended Euclidean Algorithm.

3. The method for protecting a cryptography device performing decryption using an Extended Euclidean Algorithm against side-channel attack of claim 2 wherein the operation L has the form:

 1: R̂_(−1)(z) ← a(z), R̂_0(z) ← z b(z)
 2: Û_(−1)(z) ← 1, Û_0(z) ← 0
 3: δ ← −1
 4: for j = 1, ..., d do
 5:   α_j ← R̂_(j−1,d), β_j ← R̂_(j−2,d)
 6:   temp_R(z) ← z(α_j R̂_(j−2)(z) − β_j R̂_(j−1)(z))
 7:   temp_U(z) ← z(α_j Û_(j−2)(z) − β_j Û_(j−1)(z))
 8:   if α_j = 0 (i.e. deg(R̂_(j−1)) < deg(R̂_(j−2))) then
 9:     δ ← δ + 1
10:   else
11:     δ ← δ − 1
12:   end if
13:   if δ < 0 then
14:     (R̂_j(z), R̂_(j−1)(z)) ← (R̂_(j−1)(z), temp_R)
15:     (Û_j(z), Û_(j−1)(z)) ← (Û_(j−1)(z), temp_U)
16:     δ ← 0
17:   else
18:     (R̂_j(z), R̂_(j−1)(z)) ← (temp_R, R̂_(j−2)(z))
19:     (Û_j(z), Û_(j−1)(z)) ← (temp_U, Û_(j−2)(z))
20:     δ ← δ
21:   end if
22: end for
23: return Û_d(z), R̂_d(z).


4. The method for protecting a cryptography device performing decryption using an Extended Euclidean Algorithm against side-channel attack of claim 3 wherein r_N(z) and u_N(z) are related to R̂_d(z) and Û_d(z) as follows:

R̂_d(z) = μ z^(d−w(e)+1) r_N(z)

Û_d(z) = μ z^(d−w(e)+1) u_N(z)

5. The method for protecting a cryptography device performing decryption using an Extended Euclidean Algorithm against side-channel attack of claim 1 wherein the EEA is used in an Alternant decoder and the EEA is used to compute the error locator polynomial σ(z), wherein the polynomial a(z) is z^(2t), the polynomial b(z) is S(z), and d is 2t.

6. The method for protecting a cryptography device performing decryption using an Extended Euclidean Algorithm against side-channel attack of claim 1 wherein the EEA is used in a Patterson algorithm decoder and the EEA is used to compute the error locator polynomial σ(z), wherein the polynomial a(z) is g(z) and the polynomial b(z) is τ, d = t, τ = √(S(z)⁻¹ + 1) mod g(z), and g(z) is a generator function from which the public key is generated.

7. A cryptographic device protected against side-channel attacks, comprising: a processor; a memory connected to the processor and comprising instructions executable by the processor, the instructions including instructions to cause the processor to: receive a code c, wherein c is a function of a key pair (having a public key and a secret key) and an error e; decrypt the code c by deriving the error e by: computing a polynomial syndrome S(z) which is a univariate polynomial deduced from c, but depending only on e, using a modified Extended Euclidean Algorithm having inputs a(z), b(z), and d, where a(z) and b(z) are polynomials and d is a public parameter of the encryption scheme, to compute an error locator polynomial σ(z), by: iteratively performing a computation L a number of times defined by the termination criterion d, the computation L performing a fixed number of arithmetic operations regardless of the Hamming weight of the inputs a(z) and b(z), the arithmetic operations performing polynomial subtraction operations resulting in a result related to the result of a standard Extended Euclidean Algorithm, finding by the processor roots of σ(z); and inferring by the processor the error e from the roots of σ(z).

8. The cryptographic device protected against side-channel attacks of claim 7 wherein the modified Extended Euclidean Algorithm produces a result related to the Extended Euclidean Algorithm formulated as follows:

Extended Euclidean Algorithm (EEA):

Input: a(z), b(z), deg(a) ≥ deg(b), d_fin
Output: u(z), r(z) with b(z)u(z) = r(z) mod a(z) and deg(r) ≤ d_fin

 1: r_(−1)(z) ← a(z), r_0(z) ← b(z), u_(−1)(z) ← 1, u_0(z) ← 0
 2: i ← 0
 3: while deg(r_i(z)) > d_fin do
 4:   i ← i + 1
 5:   q_i ← r_(i−2)(z) / r_(i−1)(z)
 6:   r_i ← r_(i−2)(z) − q_i(z) r_(i−1)(z)
 7:   u_i ← u_(i−2)(z) − q_i(z) u_(i−1)(z)
 8: end while
 9: N ← i
10: return u_N(z), r_N(z)

and the computation L is related to the while loop in the Extended Euclidean Algorithm such that polynomials u_n(z) and r_n(z) may be derived from the outputs of the modified Extended Euclidean Algorithm.

9. The cryptographic device protected against side-channel attacks of claim 8 wherein the operation L has the form:

 1: R̂_(−1)(z) ← a(z), R̂_0(z) ← z b(z)
 2: Û_(−1)(z) ← 1, Û_0(z) ← 0
 3: δ ← −1
 4: for j = 1, ..., d do
 5:   α_j ← R̂_(j−1,d), β_j ← R̂_(j−2,d)
 6:   temp_R(z) ← z(α_j R̂_(j−2)(z) − β_j R̂_(j−1)(z))
 7:   temp_U(z) ← z(α_j Û_(j−2)(z) − β_j Û_(j−1)(z))
 8:   if α_j = 0 (i.e. deg(R̂_(j−1)) < deg(R̂_(j−2))) then
 9:     δ ← δ + 1
10:   else
11:     δ ← δ − 1
12:   end if
13:   if δ < 0 then
14:     (R̂_j(z), R̂_(j−1)(z)) ← (R̂_(j−1)(z), temp_R)
15:     (Û_j(z), Û_(j−1)(z)) ← (Û_(j−1)(z), temp_U)
16:     δ ← 0
17:   else
18:     (R̂_j(z), R̂_(j−1)(z)) ← (temp_R, R̂_(j−2)(z))
19:     (Û_j(z), Û_(j−1)(z)) ← (temp_U, Û_(j−2)(z))
20:     δ ← δ
21:   end if
22: end for
23: return Û_d(z), R̂_d(z).


10. The cryptographic device protected against side-channel attacks of claim 8 wherein r_n(z) and u_n(z) are related to R̂_d(z) and Û_d(z) as follows:

R̂_d(z) = μ z^(d−w(e)+1) r_N(z)

Û_d(z) = μ z^(d−w(e)+1) u_N(z)

11. The cryptographic device protected against side-channel attacks of claim 7 wherein the EEA is used in an Alternant decoder and the EEA is used to compute the error locator polynomial σ(z), wherein the polynomial σ(z) is z^(2t), the polynomial b(z) is S(z), and d is 2t.

12. The cryptographic device protected against side-channel attacks of claim 7 wherein the EEA is used in a Patterson algorithm decoder and the EEA is used to compute the error locator polynomial σ(z), wherein the polynomial a(z) is g(z) and the polynomial b(z) is τ, d is t, τ = √(S(z)⁻¹ + 1) mod g(z), and g(z) is a generator function from which the public key is generated.

13. The cryptographic device protected against side-channel attacks of claim 7 wherein the cryptographic device is a smart card.

14. The cryptographic device protected against side-channel attacks of claim 7 wherein the cryptographic device is a mobile device.

15. A computer readable storage medium storing instructions operable to cause a processor of a cryptographic device, when loaded onto and executed by the processor of the cryptographic device, to: receive a code c, wherein c is a function of a key pair (having a public key and a secret key) and an error e; decrypt the code c by deriving the error e by: computing a polynomial syndrome S(z) which is a univariate polynomial deduced from c, but depending only on e, using a modified Extended Euclidean Algorithm having inputs a(z), b(z), and d, where a(z) and b(z) are polynomials and d is a public parameter of the encryption scheme, to compute an error locator polynomial σ(z), by: iteratively performing a computation L a number of times defined by the termination criterion d, the computation L performing a fixed number of arithmetic operations regardless of the Hamming weight of the inputs a(z) and b(z), the arithmetic operations performing polynomial subtraction operations resulting in a result related to the result of a standard Extended Euclidean Algorithm, finding by the processor roots of σ(z); and inferring by the processor the error e from the roots of σ(z).

16. The computer readable storage medium of claim 15 wherein the modified Extended Euclidean Algorithm produces a result related to the Extended Euclidean Algorithm formulated as follows:

Extended Euclidean Algorithm (EEA):

Input: a(z), b(z), deg(a) ≥ deg(b), d_fin
Output: u(z), r(z) with b(z)u(z) = r(z) mod a(z) and deg(r) ≤ d_fin

 1: r_(−1)(z) ← a(z), r_0(z) ← b(z), u_(−1)(z) ← 1, u_0(z) ← 0
 2: i ← 0
 3: while deg(r_i(z)) > d_fin do
 4:   i ← i + 1
 5:   q_i ← r_(i−2)(z) / r_(i−1)(z)
 6:   r_i ← r_(i−2)(z) − q_i(z) r_(i−1)(z)
 7:   u_i ← u_(i−2)(z) − q_i(z) u_(i−1)(z)
 8: end while
 9: N ← i
10: return u_N(z), r_N(z)

and the computation L is equivalent to the while loop in the Extended Euclidean Algorithm such that polynomials u_n(z) and r_n(z) may be derived from the outputs of the modified Extended Euclidean Algorithm.

17. The computer readable storage medium of claim 16 wherein the operation L has the form:

 1: R̂_(−1)(z) ← a(z), R̂_0(z) ← z b(z)
 2: Û_(−1)(z) ← 1, Û_0(z) ← 0
 3: δ ← −1
 4: for j = 1, ..., d do
 5:   α_j ← R̂_(j−1,d), β_j ← R̂_(j−2,d)
 6:   temp_R(z) ← z(α_j R̂_(j−2)(z) − β_j R̂_(j−1)(z))
 7:   temp_U(z) ← z(α_j Û_(j−2)(z) − β_j Û_(j−1)(z))
 8:   if α_j = 0 (i.e. deg(R̂_(j−1)) < deg(R̂_(j−2))) then
 9:     δ ← δ + 1
10:   else
11:     δ ← δ − 1
12:   end if
13:   if δ < 0 then
14:     (R̂_j(z), R̂_(j−1)(z)) ← (R̂_(j−1)(z), temp_R)
15:     (Û_j(z), Û_(j−1)(z)) ← (Û_(j−1)(z), temp_U)
16:     δ ← 0
17:   else
18:     (R̂_j(z), R̂_(j−1)(z)) ← (temp_R, R̂_(j−2)(z))
19:     (Û_j(z), Û_(j−1)(z)) ← (temp_U, Û_(j−2)(z))
20:     δ ← δ
21:   end if
22: end for
23: return Û_d(z), R̂_d(z).


18. The computer readable storage medium of claim 16 wherein r_n(z) and u_n(z) are related to R̂_d(z) and Û_d(z) as follows:

R̂_d(z) = μ z^(d−w(e)+1) r_N(z)

Û_d(z) = μ z^(d−w(e)+1) u_N(z)

19. The computer readable storage medium of claim 15 wherein the EEA is used in an Alternant decoder and the EEA is used to compute the error locator polynomial σ(z), wherein the polynomial a(z) is z^(2t), the polynomial b(z) is S(z), and d = 2t.

20. The computer readable storage medium of claim 15 wherein the EEA is used in a Patterson algorithm decoder and the EEA is used to compute the error locator polynomial σ(z), wherein the polynomial a(z) is g(z) and the polynomial b(z) is τ; d is t and wherein τ = √(S(z)⁻¹ + 1) mod g(z) and g(z) is a generator function from which the public key is generated.